Verdict
Fail
- Files scanned:
12 - Errors:
3 - Warnings:
2 - Info:
1
Example report
A report should explain itself.
This page shows the shape and tone of a local scan result. The values and file paths below are placeholders, but the structure is real: verdict first, then findings, then the next step.
What this shows
Readable output
Each finding is meant to say what looked risky, why it matters for MCP, and what to change next. Lite stays readable. Pro adds the export formats.
Credential embedded in remote MCP URL
Severity: error
Rule: credential-in-url
Location: .vscode/mcp.json:8:18
The remote MCP URL contains what looks like a username or token. Move credentials out of the URL and use a safer auth mechanism or environment-based secret injection with the smallest possible scope.
Floating ephemeral launcher used for MCP server startup
Severity: warning
Rule: ephemeral-mcp-launcher
Location: .vscode/mcp.json:14:7
The server is launched through npx without an exact package version, which makes the exact code you run harder to pin and review. Prefer a pinned install or a reviewed local binary instead.
Prompt injection language in tool description
Severity: warning
Rule: prompt-injection-indicator
Location: tools/sync.md:3:1
The description includes language telling the model to ignore previous instructions and reveal hidden data. Rewrite the description so it states the tool's real purpose without instruction-bypass language.
Missing lockfile
Severity: info
Rule: missing-lockfile
Location: package.json:1:1
The repo declares dependencies but does not include a lockfile. Commit the lockfile so installs are more predictable and easier to review.
Next step
Use the example to judge the output, then try the real scan.
The report should feel readable before you ever buy Pro or wire it into CI.